Can we copy every profile of project inside apparmor.d directory?

[osevan]

Can we do this on already running apparmor protected system?

Im asking because why go pkg and recompile of apparmor lsm is needed and additonal install notes required.

Thanks and

Best regards

[roddhjav]

Short: There is a reason why it works this way.

I am not sure I understand your question:

• Can we do this on already running apparmor protected system?

  Yes, having apparmor enabled and installed is actually a requirement as this project is only providing additional profiles.

• Im asking because why go pkg and recompile of apparmor lsm is needed and additonal install notes required.

  There is no additional install setup. The only thing you have to do is to build and install a package (tailored for your distribution).

Long: When you run make the following is done on the profiles:

• Merge all profiles in one unified directory as apparmor is not compatible with the groups and profile-x-y directory structure.
• Bypass userspace tools restriction (See Error message regarding @{exec_path} #76 and aa-logprof partially broken even when installing specific profiles #87). This is a long running bug in upstream that prevents the use of variables in profile attachment for userspace tools (aa-complain, aa-logprof...). The fix in apparmor.d is the reason why this prebuild is in go and not in bash (it used to be in bash).
• Set complain/enforce mode on all profiles
• Apply distribution specific settings: extra abstraction, profiles, fix incompatibilities
• Ignore profile ignored in dists/ignore/
• Set flags configuration from dists/ignore/
• Some drop-in system config file are needed to ensure apparmor profile are loaded before some services
• Compile aa-log

[osevan]

Could you go deeper here?

"Some drop-in system config file are needed to ensure apparmor profile are loaded before some services"

Its possible to load apparmor as pid1?

I mean before init system?

[roddhjav]

We simply need to ensure the profiles are loaded into the kernel before the start of some services are loaded (see the systemd directory). It simply means we need to ensure that systemd is going to start apparmor.service before services such as systemd-journald.service, systemd-networkd.service...

Note: there are other methods to actually load the profiles into the kernel before even starting systemd, however, it is not used (yet) in this project.

[osevan]

Userspace tools like aa-complain .*. Still works inside apparmor.d directory ?

aa-enforce .*. Too?
aa-logorof too like everytime?

After installed it is in enforcement or in complain mode by default?

[roddhjav]

All aa tools work as expected. As explained in the documentation, the profile are in complain mode by default, then you can put then in enforce mode: https://apparmor.pujol.io/enforce/

[osevan]

Udisk makes trouble, when usb stick plugged in

Os= artix linux.

Every profile are in complain mode

Only works again when sudo aa-teardown and module is unloaded.

[roddhjav]

Please share the apparmor log, so I can fix the issue. See https://apparmor.pujol.io/report/

Also please create an issue for this, a discussion is not the best place for bug report.

[osevan]

sudo aa-disable dbus-daemon-launch-helper

Helped.

But no log output..
Where should i look?

[osevan]

Jup i double checked no logs spit out, but disabling this above helped.